DATA PROCESSING & ROLE ALLOCATION ADDENDUM
SeeMeSol Multi-Tenant SaaS Platform
Version 5.3 | Effective Date: March 2026 | seemesol.com/legal-dpa/
About this document: This DPA applies to all three jurisdictions in which SeeMeSol operates: the Philippines (SeeMeSol Inc.), Singapore, and Indonesia (both SeeMeSol Pte Ltd). Sections 1–14 contain the governing terms applicable across all three jurisdictions. Appendix A sets out the current approved Sub-Processors. Appendix B is a consolidated Data Processing Schedule: it satisfies the written particulars requirement under Philippine law (RA 10173) and serves as the equivalent written record for Singapore (PDPA 2012) and Indonesia (Law No. 27 of 2022) purposes. Jurisdiction-specific notes are indicated in the right-hand column of the schedule table.
This Data Processing & Role Allocation Addendum (“DPA”) is incorporated into and forms part of the Agreement between SeeMeSol and Customer, as identified in the applicable Order Form. This DPA is accessible at seemesol.com/legal-dpa/ and is binding on the parties from the date the Agreement comes into effect. In the event of any conflict between this DPA and the Agreement, this DPA prevails in respect of personal data processing. SeeMeSol will provide Customer with at least thirty (30) days’ written notice of any material changes to this DPA.
SeeMeSol operates in a hybrid role as both Controller and Processor depending on the activity. SeeMeSol’s obligations as Processor shall prevail with respect to all identifiable personal data processed on behalf of the Customer or a data subject. SeeMeSol’s separate Controller obligations apply only to anonymised, aggregated, or platform governance data that does not directly identify any individual. The role allocation is set out in detail in Section 2 and summarised in Appendix B.
1. Definitions
“Applicable Data Protection Laws” means all applicable privacy and data protection laws and regulations governing the processing of personal data under this DPA, including where relevant: the Philippines Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations; the Singapore Personal Data Protection Act 2012 (PDPA); the Indonesia Personal Data Protection Law (Law No. 27 of 2022); and any other applicable national or regional legislation. The applicable law will depend on the jurisdiction in which the Customer is registered and in which data subjects are located.
“Personal Data” means any information relating to an identified or identifiable individual.
“Controller” means an entity that determines the purposes and means of processing personal data.
“Processor” means an entity that processes personal data on behalf of a Controller.
“Platform” means SeeMeSol’s suite of hosted, on-demand software solutions as defined in the Agreement, including SeeMeConnect, SeeMeHire, and associated products.
“Data Subject” means an individual whose personal data is processed under this DPA.
“Sub-Processor” means any third party engaged by SeeMeSol to process personal data on its behalf under this DPA.
2. Role Allocation
The parties acknowledge that the Platform operates as a multi-institution talent and recruitment network, resulting in multiple data processing roles depending on the activity. The roles are allocated as follows.
2.1 Institutional Data (HEI)
Where a Higher Education Institution (“HEI”) uploads or maintains student or alumni data on the Platform: (a) the HEI acts as Controller of that data; (b) SeeMeSol acts as Processor in hosting and enabling access to such data; and (c) SeeMeSol also acts as an independent Controller in relation to platform governance, security, system-wide analytics, and retention framework administration. Where employer-originated data (including job postings and company profiles) is displayed or accessible within the HEI’s platform environment, SeeMeSol acts as Processor solely for the routing and display of such data, and the Employer remains the Controller of that data at all times.
2.2 Employer Access and Applications
When a Registered User applies to a job or opportunity via the Platform: (a) the Employer becomes an independent Controller of application data received; (b) SeeMeSol acts as Processor solely for the transmission and routing of the application; and (c) thereafter, the Employer determines its own retention and processing practices for such data.
2.3 System-Wide Analytics
SeeMeSol acts as an independent Controller in relation to anonymised and aggregated analytics, platform usage statistics, security monitoring, fraud prevention, and product improvement. All such analytics are anonymised and shall not identify any individual.
3. Description of Processing
3.1 Categories of Data Subjects
Personal data may relate to the following categories of data subjects: (a) students and alumni; (b) employer representatives; (c) HEI representatives and staff; and (d) government or regulatory users where applicable.
3.2 Categories of Personal Data
Personal data processed under this DPA may include: name; contact details (email address, telephone number); curriculum vitae data; education history; employment history; application materials; platform usage data; and profile preferences. Sensitive personal data (such as health data, biometric data, or government identification numbers) is not intentionally collected by SeeMeSol unless voluntarily provided by the data subject in the course of using the Platform.
4. Nature and Purpose of Processing
SeeMeSol processes personal data for the following purposes: (a) hosting and storage of Platform data on cloud infrastructure (see Section 7 for sub-processors); (b) enabling employer-HEI connectivity and talent matching; (c) routing and facilitating job applications; (d) providing user dashboards and reporting; (e) facilitating in-platform messaging; (f) generating anonymised analytics and platform insights; and (g) platform security, maintenance, and regulatory compliance.
5. Cross-Border Transfers
The Platform is hosted in Singapore. Personal data may be accessed by Employers, HEIs, or platform users located in other jurisdictions. SeeMeSol will implement appropriate safeguards for cross-border personal data transfers, which may include one or more of the following mechanisms as applicable: (a) contractual data transfer agreements incorporating standard clauses approved or recognised under Applicable Data Protection Laws; (b) the data subject’s informed consent to the transfer; (c) transfers necessary for the performance of a contract between the data subject and the Customer; or (d) reliance on adequacy determinations made by the relevant regulatory authority.
SeeMeSol will document the transfer mechanism relied upon for each category of cross-border transfer and make such documentation available to Customer upon reasonable written request. Customer warrants that it has obtained all necessary consents or established all required legal bases for cross-border transfers of personal data it uploads to the Platform.
6. Security Measures
SeeMeSol shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, at a minimum: (a) encryption of personal data in transit and at rest; (b) role-based access controls limiting data access to authorised personnel; (c) audit logging of access and processing activities; (d) secure authentication mechanisms; (e) regular vulnerability assessments and penetration testing; (f) incident response procedures; and (g) information security management processes aligned with ISO 27001 or equivalent standards.
SeeMeSol shall review and update these measures periodically to address evolving threats and ensure continued compliance with Applicable Data Protection Laws.
7. Sub-Processors
SeeMeSol may engage Sub-Processors to assist in providing the Platform services. SeeMeSol shall ensure all Sub-Processors are contractually bound by data protection obligations no less protective than those in this DPA. SeeMeSol shall exercise reasonable due diligence in the selection and ongoing monitoring of Sub-Processors. Subject to the liability limits in Article 8 (Limitation of Liability) of the SeeMeSol General Terms and Conditions, SeeMeSol shall be liable to Customer for any breach of this DPA caused by a Sub-Processor’s acts or omissions to the same extent as if SeeMeSol had performed the processing directly, except where SeeMeSol can demonstrate that it exercised reasonable care in selecting and supervising the Sub-Processor and the breach occurred despite those measures.
The current list of approved Sub-Processors is set out in Appendix A to this DPA and maintained at seemesol.com/legal-dpa/. SeeMeSol shall provide at least thirty (30) days’ prior written notice to Customer before engaging any new Sub-Processor or making any material change to an existing Sub-Processor’s role (“Sub-Processor Notice”).
Customer may object to a new Sub-Processor by written notice to SeeMeSol within fourteen (14) days of the Sub-Processor Notice, setting out the reasonable grounds for the objection. The parties shall negotiate in good faith to resolve the objection. If no objection is received within fourteen (14) days, Customer is deemed to have accepted the new Sub-Processor.
8. Data Retention
8.1 Active Accounts
Personal data associated with active Platform accounts is retained for the duration of the account’s active status and for a period of two (2) years following account termination or last active use, unless a shorter retention period is required by Applicable Data Protection Laws or agreed in writing. For the purposes of this DPA, “last active use” means the most recent occurrence of: (a) login to the Platform; (b) submission of an application, profile update, or job posting; or (c) any other material interaction with the Platform, excluding automated system communications.
8.2 Account Deletion
Upon account deletion: (a) profile access ceases immediately; (b) no further Platform activity is permitted from the deleted account; and (c) previously submitted job applications remain with the relevant Employer as that Employer is an independent Controller of such data from the point of receipt.
8.3 Backup Systems
Personal data may remain in secure backup systems for a period not exceeding ninety (90) days from the date of deletion or account termination, after which it will be automatically purged from backup systems.
8.4 Anonymised Data
Anonymised and aggregated statistical data derived from Platform activity may be retained indefinitely, as such data does not constitute personal data.
8.5 Retention Review
SeeMeSol will review retained personal data at least annually and will delete, anonymise, or pseudonymise data that is no longer required for the purposes for which it was collected, unless retention is required by Applicable Data Protection Laws or for the establishment, exercise, or defence of legal claims.
9. Data Subject Rights Assistance
Where SeeMeSol acts as Processor, SeeMeSol shall provide reasonable assistance to Customer in fulfilling its obligations to respond to data subject requests, including requests for access, correction, deletion, restriction, and objection. Such assistance shall be provided within ten (10) business days of SeeMeSol receiving a complete and valid request from Customer, or within such shorter period as may be required by Applicable Data Protection Laws. SeeMeSol may request reasonable additional information from Customer where necessary to locate and process the relevant data subject’s records, in which case the response period runs from receipt of such information.
Where SeeMeSol acts as independent Controller (including in relation to platform-level analytics and governance data), SeeMeSol shall handle data subject requests relating to that processing directly and in accordance with Applicable Data Protection Laws.
10. Personal Data Breach
In the event of a confirmed personal data breach affecting Customer data, SeeMeSol shall: (a) notify Customer without undue delay and, in any event, within seventy-two (72) hours of becoming aware of the breach, to the extent reasonably practicable; (b) where a complete notification cannot be provided within seventy-two (72) hours, provide an initial notification within that period and follow up with complete information as soon as reasonably practicable thereafter; and (c) include in the notification, to the extent available at the time: (i) a description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected; (ii) the name and contact details of SeeMeSol’s designated Data Protection contact; (iii) a description of the likely consequences of the breach; and (iv) a description of the measures taken or proposed to address the breach and mitigate its effects.
Customer remains responsible for notifying the relevant regulatory authority and affected data subjects where legally required in Customer’s jurisdiction, unless otherwise agreed in writing.
11. Audit Rights
Where SeeMeSol acts as Processor, Customer may request reasonable written information from SeeMeSol demonstrating compliance with this DPA. Given that SeeMeSol operates on a fully virtual basis and its infrastructure is hosted on third-party cloud platforms (including AWS), formal on-site audits of SeeMeSol’s premises or data centres are not practicable. Audit rights are therefore exercised on a remote and documentary basis, subject to the following conditions: (a) Customer may submit a written audit request once per calendar year, or at any time following a confirmed personal data breach; (b) Customer must provide at least thirty (30) days’ prior written notice specifying the scope of the audit request; (c) all audit activities and findings are subject to the confidentiality obligations in the Agreement; and (d) SeeMeSol shall respond to audit requests within thirty (30) days of receipt.
SeeMeSol shall satisfy audit requests by providing one or more of the following, as appropriate to the scope of the request: (a) current ISO 27001 certification or equivalent information security certification; (b) third-party audit or attestation reports (such as SOC 2 Type II); (c) AWS compliance and security reports available through AWS Artifact; or (d) responses to a written questionnaire covering the subject matter of the audit. SeeMeSol will use reasonable efforts to address the specific compliance questions raised by Customer.
12. Termination and Data Return
Upon termination or expiry of the Agreement for any reason, SeeMeSol shall, at Customer’s written election made within thirty (30) days of the termination or expiry date: (a) return to Customer all identifiable personal data processed under this DPA in a commonly used, machine-readable format; or (b) securely delete or destroy all identifiable personal data processed under this DPA.
SeeMeSol shall provide written confirmation of return or deletion within thirty (30) days of Customer’s election. SeeMeSol may retain anonymised or aggregated data following termination for the following purposes: (a) compliance with Applicable Data Protection Laws and applicable legal or regulatory obligations; (b) platform analytics, benchmarking, and system reporting, where such data forms part of SeeMeSol’s aggregated platform-wide datasets and cannot reasonably be disaggregated or attributed to Customer; and (c) product improvement and research, provided the data does not identify any individual or Customer. For the avoidance of doubt, anonymised and aggregated data does not constitute personal data and its retention is not restricted by Applicable Data Protection Laws. Where Customer does not make an election within thirty (30) days of termination or expiry, SeeMeSol shall proceed to delete or anonymise identifiable personal data in accordance with its standard data retention schedule as set out in Section 8.
13. Liability
Nothing in this DPA increases or modifies the limitation of liability provisions set out in the Agreement. The parties’ aggregate liability for claims arising under this DPA is subject to the caps and exclusions in Article 8 (Limitation of Liability) of the SeeMeSol General Terms and Conditions.
14. Governing Law and Survival
This DPA is governed by the same law as the Agreement. It survives termination or expiry of the Agreement to the extent necessary to fulfil the parties’ data protection obligations, and continues to apply to any personal data retained by SeeMeSol following termination in accordance with Section 8.
Appendix A: Approved Sub-Processors
The following Sub-Processors are approved as at the Effective Date of this DPA. This schedule is maintained and updated at seemesol.com/legal-dpa/. Changes are notified in accordance with Section 7.
| Sub-Processor | Role |
| Amazon Web Services, Inc. | Cloud infrastructure hosting and storage (Singapore region) |
| Zoho Corporation | CRM, email, and business operations |
| Email service providers | Transactional and notification email delivery |
| Other infrastructure and analytics providers | As notified to Customer via Sub-Processor Notice in accordance with Section 7 |
This Appendix A forms part of the DPA. The full up-to-date list of approved Sub-Processors is maintained at seemesol.com/legal-dpa/
Appendix B: Data Processing Schedule
This schedule sets out the particulars of processing under this DPA. It applies across all three jurisdictions in which SeeMeSol operates. The right-hand column indicates where a particular item has jurisdiction-specific relevance. Where all three jurisdictions apply equally, the row is marked “PH • SG • ID”.
SeeMeSol’s Processing Role — Important Note
SeeMeSol operates in a hybrid role and is not solely a Processor under this DPA. The role depends on the activity being performed:
- As Processor: SeeMeSol acts as Processor when hosting, storing, and transmitting Customer data (including student/alumni data uploaded by HEIs, employer data, and job application data). In this capacity, SeeMeSol processes personal data strictly on Customer’s instructions.
- As independent Controller: SeeMeSol acts as an independent Controller in respect of: (a) anonymised and aggregated platform analytics; (b) platform governance and security monitoring; (c) fraud prevention; and (d) product improvement activities. In these activities, SeeMeSol determines the purposes and means of processing independently and is not acting on Customer’s instructions.
- Prevailing obligation: Where SeeMeSol acts in both roles simultaneously, SeeMeSol’s Processor obligations prevail for all identifiable personal data. Controller obligations apply only to data that does not directly identify any individual.
The schedule below describes the processing particulars as they apply to SeeMeSol’s Processor role. SeeMeSol’s independent Controller activities (Section 2.3) are governed by SeeMeSol’s Privacy Policy at seemesol.com/legal-privacy/
Processing Particulars
| Particular | Detail | Jurisdiction |
| Controller | HEI customers: The higher education institution identified in the applicable Order Form, acting as Controller of student and alumni personal data uploaded or managed on the Platform. Employer / corporate customers: The employer or corporate entity identified in the applicable Order Form, acting as Controller of its representatives’ data and, from the point of receipt, of application data submitted by Registered Users. Government agency customers: The government agency identified in the applicable Order Form, acting as Controller of its representatives’ data and any data it uploads or manages on the Platform. | PH • SG • ID |
| Processor | Philippines: SeeMeSol Inc. (SEC Reg: CS 2024040145668-03), 4th Floor Keyland Building, 114 Valero Street, Salcedo Village, Bel-Air, Makati City, Philippines. Singapore & Indonesia: SeeMeSol Pte Ltd (UEN: 200612420N), 105 Cecil Street #18-18, The Octagon, Singapore 069534. Note: SeeMeSol also acts as independent Controller for anonymised analytics and platform governance activities — see the hybrid role note above and Section 2.3 of the DPA. | PH • SG • ID |
| Subject Matter | Hosting, management, and facilitation of talent supply chain activities on the SeeMeSol Platform, including recruitment, career development, institutional engagement, and related services as described in the applicable Order Form. | PH • SG • ID |
| Duration of Processing | For the duration of the Agreement and, where personal data is retained after termination, for the periods specified in Section 8 of the DPA: up to 2 years post-termination for active account data; up to 90 days for backup copies. Anonymised data may be retained indefinitely as it does not constitute personal data. | PH • SG • ID |
| Nature of Processing | Collection, recording, storage, retrieval, use, disclosure by transmission, adaptation, alignment, and deletion of personal data, conducted through the SeeMeSol Platform as described in Section 4 of the DPA. | PH • SG • ID |
| Purpose of Processing | Processing is carried out for the following purposes: • Hosting and secure storage of Customer data on AWS Singapore infrastructure • Enabling employer–institution connectivity and talent matching • Routing and facilitating job and internship applications • Providing user dashboards, analytics, and reporting tools • Facilitating in-platform messaging and engagement activities • Platform security, maintenance, and regulatory compliance | PH • SG • ID |
| Categories of Personal Data | Personal data processed under this DPA may include: • Identity data: full name, username, nationality • Contact data: email address, telephone number • Profile data: CV, education history, employment history, career preferences, skills, interests • Application data: application materials, assessment results • Platform usage data: login records, activity logs, interaction data • Organisational data: employer name, job title, department (Organisational Users) | PH • SG • ID |
| Categories of Data Subjects | Data subjects whose personal data is processed include: • Students and alumni registered on the Platform • Employer and corporate representatives accessing the Platform • HEI administrators and staff managing institutional accounts • Government agency representatives accessing the Platform • Other authorised users as identified in the applicable Order Form | PH • SG • ID |
| Rights & Obligations of the Controller | The Controller’s rights and obligations under this DPA include: • Instructing SeeMeSol on the processing of personal data within the scope of the Agreement • Ensuring all required consents, notices, or legal bases for processing have been obtained before uploading data to the Platform • Responding to data subject rights requests in respect of data for which it is Controller • Notifying SeeMeSol promptly of any data subject request requiring SeeMeSol’s assistance • Cooperating with SeeMeSol in any regulatory investigation relating to data processed under this DPA • Ensuring Authorised Users comply with the Platform Terms of Use and applicable data protection laws | PH • SG • ID |
| Cross-Border Transfer Mechanism | Personal data is hosted in Singapore (AWS Singapore region). Where cross-border transfers occur, SeeMeSol relies on one or more of the mechanisms in Section 5 of the DPA: contractual safeguards, data subject consent, or performance of contract necessity, as applicable to the jurisdiction of the data subject. | PH • SG • ID |
| Retention Period | As set out in Section 8 of the DPA. Active account data: duration of Agreement plus 2 years. Backup copies: purged within 90 days of account deletion. Anonymised data: retained indefinitely. Customer may request earlier deletion under Section 12. | PH • SG • ID |
| NPC Registration (PH) | SeeMeSol Inc. is registered with the Philippines National Privacy Commission (NPC) as a Personal Information Controller. This schedule satisfies the written particulars requirement under Section 16(b) of RA 10173 and Rule 9 of its Implementing Rules and Regulations. | PH only |
| Data Intermediary Agreement (SG) | This DPA constitutes the data intermediary agreement required under Section 4(2) of the Singapore Personal Data Protection Act 2012 (PDPA). SeeMeSol Pte Ltd processes personal data on behalf of Customer in accordance with Customer’s instructions as set out in this DPA. | SG only |
| Data Processing Agreement (ID) | This DPA constitutes the written data processing agreement required under Indonesia’s Personal Data Protection Law (Law No. 27 of 2022). SeeMeSol Pte Ltd processes personal data on behalf of Customer strictly in accordance with Customer’s instructions. SeeMeSol will update this schedule as implementing regulations are finalised. | ID only |
This Appendix B forms part of the DPA. The three jurisdiction-specific rows at the foot of the table serve as the written record required under each applicable law and should be read together with Sections 1–14 of the DPA.
